The Web Browser Control and the Silent Flag

Applications that host the Web Browser Control have the opportunity to set the Silent flag to suppress all dialogs that the web browser control may generate. In some cases, this is useful, because it can help ensure a “quiet” user experience without unexpected popups.

Current versions of the .NET Framework expose the Web Browser Control’s ambiguously-named intrinsic Silent property misleadingly, as ScriptErrorsSuppressed, implying that error dialog suppression is all that the property does.

Developers should be aware, however, of the full implications of setting this flag. While script errors can be shown in dialogs, there are many other dialogs that may show depending on the HTML content in the browser and the network environment in which it is running.

For instance, one developer notes that his application doesn’t work behind an authenticating web proxy. When he runs in an environment with such a proxy (which can easily be simulated using the option on the Fiddler Rules menu), he always sees an error page for every URL:

That’s because the Web Browser Control’s Silent flag results in setting BINDF_NOUI in URLMon, which in turn sets INTERNET_FLAG_NO_UI in WinINET. The flags suppress the Proxy Authentication dialog box. If you set the Silent Flag to false, navigations in this environment will prompt the user for proxy credentials if needed:

Similarly, when visiting a page that requires an ActiveX control that the user has not installed, setting the Silent flag results in the control failing to download and run:

If the Silent flag is unset, the user will see an Authenticode or UAC prompt to install the needed ActiveX control:

And the control will then load after the user agrees to install it:

Another instance of this problem came up a month after I first posted this article. An internal team was always seeing an error page for a HTTPS site, but the site worked fine in the regular IE browser. It turns out that the server was secured with a certificate that specified an invalid Certificate Revocation List url, and thus the revocation check always fails. IE itself ignores revocation unavailable errors, but the Web Browser control does not– it instead shows a popup Security Alert with the text Revocation information for the security certificate for this site is not available. Do you want to proceed?. When the Web Browser Control is in Silent mode, the prompt is suppressed and No is automatically chosen.

Generally speaking, the Silent/ScriptErrorsSuppressed property should only be set if you control both the content that the user will see (in which case, you’d be better off fixing any script errors in the markup) and if you control the network environment in which the application runs (e.g. no non-silent authentication methods).